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The Open Packages Project 


The FreeBSD Ports Collection is a mechanism for installing 
3rd party software on FreeBSD. NetBSD and OpenBSD both 
have similar systems that originated from the work done on 
FreeBSD. Darwin doens't have a packaging system, but I 
know of at least two people who have been porting the 
FreeBSD collection over to Darwin. 

This may seem like an ideal setup for each project, 
however, there is a huge amount of redundancy and 
duplication of work going on. True to their own project 
goals, NetBSDhas been enhancing their packaging system, 
called pkgsrc, to operate on multiple platforms and have 
added several enhancements. Similarly, the OpenBSD 
project has streamlined their ports collection for speed and 
security. 

While these enhancements were going on in NetBSD and 
OpenBSD, the FreeBSD ports collection was growing to an 
enormous size of 5000+ packages. Because of this growth, 
they have also made several enhancements that reduce the 
overall number of files in the ports collection. 

With each group maintaining a separate packaging 
system, a single 3rd party application has to be maintained 
by a different person in each system, with the syntax being 
slightly different for each system. As Darwin matured, it 
became evident that this same redundancy was going to 
take place when the ports collection got ported over to it. 

There had been talk amongst the BSD developers for a 
long time about merging code bases in areas where the 
projects overlap. It wasn't hard tosee that the Ports 
collection was a prime area that merging code bases would 
significantly reduce redundancy and also lead to 
improvements as the groups merged in their enhancements. 

I also realized that the project would have to be 
independent of the individual BSD projects to avoid any of 
the politics and allow it to have its own objectives and 
goals. 

As I began the project, I first set out to see how much 
support I could gather for it. I began by recruiting the core 
developers of the existing ports/pkgsrc collections and 
created a mailing list so we could begin a discussion about 
what enhancements we wanted to merge in from each 
existing project. 

We finally agreed that we would start with the NetBSD 


pkgsrc collection as the base, because portability was our 
primary goal. We also decided to take the file naming 
enhancements from FreeBSD to reduce the overall inode 
usage. Marc Espie donated his streamlined version of 
make(l), that includes many speed improvements. From the 
OpenBSD project we are taking FAKE and FLAVORS, as well 
as a few other features. 

After the developers began discussing features, I set out 
to get some support for the project. Greg Sutter donated 
the domain http://www.openpackages.org and the project 
officially became "The Open Packages Project". I contacted 
SeraSystems.com and they donated a machine for us to use 
as our CVS server. ISC is donating the bandwidth to keep 
the box onLine. 

Apple has agreed to adopt Open Packages as it's official 
packaging system for Darwin. FreshPorts.org has also 
agreed to support the project by making changes to 
packages available on the site. 

Infrastructure changes are taking up the bulk of our time 
right now, as the project progresses. However, we have 
readched our first milestone, and our second one is rapidly 
approaching. 

The project now builds on most machines and installs the 
test package. We are currently working on adding the 
functionality from OpenBSD and dealing with how to 
implement security audits properly. 

Our target platform is BSD, however we are accepting 
patches to make this run on other systems, such as Linux, 
Solaris, and BeOS. 

As with all open source projects, we need more 
developers. If you already have commit rights on a BSD 
project, or are an official developer of a non-BSD project, 
we will set you up on our CVS server. 

We have lots of work to be done, so drop by and download 
what we have available in AnonCVS and test it on your 
system. We also have a few mailing lists that you should 
join. This project has lots to offer BSD and the open source 
community as a whole. 

-Chris Coleman 
chrisc@daemonnews.org 
http://www.openpackages.org 
The New Standard in Open Source Binaries 






Raymond Hicks «Jiesel@bsdvault.net> 


Installing 


PHP stands for PHP: Hypertext Processor. It is one of the 
Latest server-side embedded scripting languages and is 
quickly gaining popularity. PHP is a very flexible language 
that allows you to do a variety of things including talking 
to databases and sending email. PHP can work in one of 
several ways, the most popular being with a backend 
database. 

So how do we get this new language? If you are running 
FreeBSD you should find a module in your ports called 
www/mod_php4. This port will automatically install itself. 
If you have not yet installed and configured Apache then 
it will do that for you as well. Although this would work 
in most cases, we will go over the total process to keep 
fresh in our minds how to deal effectively with Apache 
modules. You can download the latest version of PHP from 
h tt p: //www. php.net. 


Building PHP 

In order to use PHP, you will need to have 
Apache installed on your box. You can run PHP 
with any web server, but because I run only 
Apache, I would be of little help telling you 
how to run it on anything else. That being 
said, it is time to visit apache.org and get 
yourself the latest/greatest version of 
Apache. Now is a very good time to decide 
if will be using a database backend. If you 
choose to use a database, compile your 
Apache with support for your database 
system. I use MySQL and find it does a 
great job. 
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processor speed and the type of box being used. You should 
see several status reports as it detects certain things on or 
about your system. Once you get back to the command 
prompt then it is time to build the sources! 

# make 

# make install 


Uncompress your Apache archive and use the provided 
script to configure it properly: 

# tar -xzvf apache-1.3.12.tar.gz 

# cd apache-1.3.12 

# ./configure -prefix=/usr/local/apache 

DO NOT COMPILE AT THIS TIME 


Now we must build in PHP support and reconfigure so 
Apache can build PHP into its base configuration. We 
unpack and configure the PHP archive: 

# tar -xzvf php-4.0.2.tar.gz 

# cd ../php-4.0.2 

# ./configure -with-mysql \ 

-with-apache=../apache-1.3.12 


This part of the install can take some time, so be sure ycfu 
have read through and become familiar with the coming 
steps and are comfortable with what lies ahead. 

Now that PHP has configured and installed itself it is time 
to build it into Apache. 

# cd ../apache-1.3.12 

# ./configure \ 

-activate-module=src/modules/php4/libphp4.a\ 

-prefix=/usr/local/apache 

# make 

# make install 


Note that the configure script above can take several 
command line options. The most important ones are the 
path to your web server and your database type (if any). 

If you are running a PHP version prior to 4.0.2 the you 
will need to add the "enable-track-vars" switch. This will 
enable you to preserve data from one screen to another. It 
also makes it much easier when dealing with user sessions 
as found in popular web portal systems such as PHPNUKE. 
This is compiled in by default with versions 4.0.2 through 
current. The configure script runtime will vary with system 


Finally you will need to edit your Apache configuration 
file (httpd . conf ). 

The following lines tell your web server that files ending 
in ". php" will handled by the PHP module you installed. 

AddType application/x-httpd 
php .php 


Restart Apache or start it for the first time. This is done 
by running the apachectl command found in 

/usr/local/sbin 

# cd /usr/local/sbin 

# ./apachectl start I restart I stop 


Configuration of PHP 

The configuration file lies in /usr/iocai/lib directory. 
It should be called php.ini. This is not typically installed 
by default so you will need to copy it to that location. 

# cd php-4.0.2 

# cp php.ini-dist /usr/local/lib/php.ini 


Getting started using PHP 

Here is a standard test file you can use to determine if 
PHP is running correctly on your web server: 

<html> 

<title>Your title here</title> 

<body> 

This is part of the message was not created with 
PHP. 

<?php echo("This part was created with PHP");?> 
</body> 

W </html> 


There are many ways to specify PHP code but I will use the 
most common which is <?php...>. This is case sensitive 
and separated by semicolons just like Perl. It is even more 
simple to declare variables in PHP. The following is an 
example of how to declare some simple variables and call 
them. 
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<?php 

$sysname = 'FreeBSD'; 

$banner = "I love $sysname!"; 

echo $banner; 

?> 

As you can see this is very simple and very much like Perl. 
Now let's take a look at some of the predefined variables 
that come with PHP. The PHP website has a complete list 
of the variables. 

<?php 

echo ("you are using $HTTP_USER_AGENT browser."); 

echo ("compliments of PHP version 

".phpversion()); 

?> 

This little gem is an excellent example of the power of 
built-in variables. This points out two independent 
concepts that are built into PHP as well. The first is the 
predefined variable $HTTP_USER_AGENT which determines 
the user's browser type and print it to the screen. The 
second is the phpversion() function which tells us which 
version of PHP we are currently using. There are too many 
predefined functions to list in this document so be sure to 
read the manual for all of them. 

Below is a snippet of code I "borrowed" from a friend to 


show if someone is using FreeBSD or not. 

<?php 

echo("you are using $HTTP_USER_AGENT browser."); 

if ( strpos(strtoupper("$HTTP_USER_AGENT") , 
"FreeBSD")>0) 

{ 

echo("You are running FreeBSD!!"); 

} ?> 

Here we exercise two more functions. The first is strpos. 
This function is used to find the position of a substring 
within a string. If the substring is found it assigns a value 
greater than 0. The second function is strtoupper which is 
used to simply convert a string to upper case. 

PHP makes for one of the best DBI's 

I have found it easier to use in the database arena than 
even ASP. I would like to go into more detail on how to use 
PHP to interact with your database, but that is something 
to look for in the next issue. For help with this or any other 
BSD-related issues please stop by http://bsdvault.net and 
ask around our message board, or visit us at #bsdvauit on 
irc.openprojects.net. 
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installing 

2BSD fora 

Firewall 


To build the most stable and security-patched system you 
can, you'll want to make sure you're running the latest 
version of FreeBSD-STABLE. When I built my last system, the 
March 9, 2001 version of FreeBSD 4.2 (dubbed either 4.2- 
STABLE, or 4.3-BETA #0 depending on how you look at it) 
was the latest snapshot in the 4.2-STABLE branch. For those 
of you new to FreeBSD, the STABLE branch is the version of 
the operating system that has all of the latest patches, 
bugfixes, and enhancements after the previous release was 
made. If you've installed FreeBSD-4.2 from CD-ROM, you 
probably installed 4.2-RELEASE, which is (simplisticaLLy) 
nothing more than a version of the 4.2-STABLE branch that 
was exhaustively tested, burned to CD-ROM and made 
available for sale. 

After the release date of 4.2-RELEASE (in late November, 
2000), the 4.2 tree continued to evolve and be patched 
after that point. Since there's no way the folks at 
FreeBSD.org can burn & sell CD-ROMs for each day's version 
of the 4.2 tree, 4.2-RELEASE is the only one made available 
for sale on CD, and subsequent snapshots of the 4.2-STABLE 
tree are only available on-line. Once 4.2-STABLE is 
sufficiently enhanced/patched and gets close to the release 
date of 4.3-RELEASE, the code enters a freeze and is 
officially called 4.3-BETA...even though it's one of the last 
snapshots in the 4.2-STABLE tree. So, 4.3-BETA code is, 
effectively, the last snapshot made from the 4.2-STABLE 
branch before it officially becomes 4.3-RELEASE. 

So, what are the benefits of loading 4.2-STABLE (or 4.3- 
BETA #0) rather than 4.2-RELEASE? Well, the biggest 
answer, if you're building a firewall like we are here, is that 
all of the security patches have been applied to the 0/S and 
the associated applications. For example, FreeBSD-4.2- 
RELEASE (which was released in November 2000) uses 
0penSSFI-2.2.0, which is a great product but also has a 
remote buffer overflow that wasn't discovered until early 
February, 2001. If a hacker exploits this vulnerability on 
your 4.2-RELEASE box, they can gain remote root access and 
ruin your day. The relevant info can be found on 
http://www.securityfocus.com. When you load FreeBSD-4.2- 
STABLE (or 4.3-BETA), by comparison, you're getting 
FreeBSD-4.2-RELEASE with all of the patches applied after 
the November 2000 release, so your system will have 
0penSSFI-2.3.0 (not 0penSSFI-2.2.0) which is not vulnerable 
to the remote buffer overflow. So loading the latest 


snapshot from the STABLE branch saves you a lot of time 
loading patches after your OS load is finished. 

Inventory your computer hardware and ensure that it is 
compatible with FreeBSD. The current compatibility list can 
be found in the FreeBSD 4.2 Release Notes. 

Download the boot floppy images: 

FTP to ftp://releng4.FreeBSD.org 

Change directory into 

/pub/FreeBSD/snapshots/i386/4.2-20010302- 
STABLE/ floppies ...where 4.2-20010302-STABLE is the 
directory that houses the latest snapshot - in this case, 
representing the 4.2 baseline, year 2001, month 03, and day 
02. Undoubtedly, when you get to the 
/pub/FreeBSD/snapshots /i3 8 6 directory there will 
definitely be a snapshot available that's newer than March 
2, 2001. Use the newer one since it'll have even more bug 
fixes, enhancements, etc. than the March 2, 20001 snapshot 
that I used when I built my system. 

Download the kern.fip and mfsroot.fip images & store 
them in your /tmp directory (on Linux or FreeBSD) or 
c:\windows\temp directory (for Windows), depending on 
what system you're downloading from. 

Download the floppy creation tools if you're a 
DOS/Windows users. 

FTP to ftp://ftp.FreeBSD.org 

Change directory into /pub/FreeBSD/tools 

Download the program, rawrite. exe, and store it in the 
same directory that you used, above. 

Create Boot Floppies 

If you're using Linux or FreeBSD, use the dd command as 
follows, and create one floppy from the kern.fip image, 
and another disk from the mfsroot.fip image. 

# dd if=/tmp/kern.flp of=/dev/fdO 

2880+1 records in 

2880+0 records out 

1474560 bytes transferred in 49.931306 secs 
(30135 bytes/sec) 

If you're using DOS/Windows, use the rawrite program that 
you downloaded. Just like with Linux, make one floppy 
from the kern.fip image, and another one from the 
mfsroot.fip image. 


DaemonNews.org 7 








C:XWINDOWS\TEMP>rawrite 

RaWrite 1.3 - Write disk file to raw floppy 

diskette 

Enter source file name: mfsroot.flp 
Enter destination drive: a: 

Please insert a formatted diskette into drive A: 
and press -ENTER- : 

Number of sectors per track for this disk is 18 
Writing image to drive A:. Press ''C to abort. 
Track: 79 Head: 1 Sector: 16 
Done. 

On the FreeBSD machine, insert the kernel floppy 
(kern.fip) in your floppy drive and boot from it. When 
prompted, insert the 'MFS roof floppy (mfsroot.flp). 

Run the kernel configuration utility in full-screen visual 
mode to clear any conflicts and ensure the kernel matches 
your hardware. For example, remove SCSI controllers if you 
don't have any, etc. On my system (where I don't have any 
SCSI controllers or a PS/2 mouse), here's the only active 
drivers I left enabled (I deleted the rest): 

Storage: 

ATA/ATAPI compatible disk controller ataO 14 

OxlfO 

ATA/ATAPI compatible disk controller atal 15 

0x170 

Floppy disk controller fdcO 6 0x3f0 
Networks: 

NEl000,NE2000,3C503,WD/SMC80xx Ethernet adapters 
edO 10 0x280 
Communications: 

Parallel Port chipset ppcO 7 

8250/16450/16550 Serial port sioO 4 0x3f8 

8250/16450/16550 Serial port siol 3 0x2f8 
Input: 

Keyboard atkbdO 1 

Syscons console driver scO 
Multimedia: 

Miscellaneous: 

Math coprocessor npxO 13 OxfO 

Note: If you have PCI-based Ethernet cards, you can 
delete all of the network cards in the list - yours will be 
found and configured automatically. If you're on the other 
end of the scale (like me) and you have two old NE2000- 
compliant ISA network cards, you'll only be able to 
configure one of them at this time (edO). After your 
installation is complete, you'll have to build a custom kernel 
& add in a "placeholder" for the 2nd generic ISA card, and 
then run through the kernel configuration utility again after 
you reboot. We'll do this at the end of this document. 

Flit 'Q' then 'Y' to save your changes and exit. 

From the main menu, choose a 'Standard' installation. 

In the FDISK Partition Editor, choose 'A' to use the entire 
disk. This will let FreeBSD take the entire disk and eliminate 
the need for a bootloader. At the warning, choose 'NO' when 
asked if you want to accept a dangerously dedicated disk. 
Press 'Q' to continue. 


In the Disklabel Editor, create the following partitions, 
then choose 'Q' to continue. Note that we want a separate 
/var partition so that firewall logs don't fill up other 
partitions and cause a denial of service: 

256MB swap partition 

256MB (or more, if you can) file system mounted as /var 

128MB file system mounted as / 

Remainder of your hard drive mounted as /usr 

Choose "Kern-Developer" as the Distribution you want to 
install by highlighting it and pressing the 'space' bar. 
Remember, this is going to become a gateway/firewall 
system, and you'll need the kernel source code to recompile 
IPFILTER into the kernel. Also, you don't need (or want) X 
Windows running on it. 

Select "Yes" to install the FreeBSD ports collection. 

Arrow back up to "«< X Exit" and hit the 'space' bar to 
exit the Distribution Menu 

Select either an FTP or FTP Passive install (depending on 
what your current network's firewall will support). 

Select "4.0 SNAP Server (releng4.freebsd.org)" as your 
Distribution Site 

Select your Ethernet card as the network interface to 
install from (e.g. "edO" if you're using a generic NE2000- 
compatible ISA card). 

Select "no" for IPv6 config 

Select "yes" for DHCP configuration if your network card 
is directly connected to your cable modem, etc. Select "no" 
if you're on a pre-existing network, then enter your 
interface configuration information manually - host name, 
domain name, IPv4 gateway IP address, name server IP 
address, IPv4 address, and netmask. 

At the "Last Chance" warning, select "yes". 

(System Installs...With a cable modem, the download and 
install took 22 minutes.) 

Miscellaneous configuration: 

Do you want this machine to function as a gateway? Yes 

Do you want to have anonymous FTP access to this 
machine? No 

Do you want to configure this machine as an NFS Server: 
No 

Do you want to configure this machine as an NFS Client: 
No 

Select "Yes" when asked "Do you want to select a default 
security profile for this host" Select "Extreme - Very 
restrictive security settings". Note that this turns off inetd 
- for firewalls, that's a "good thing". 

Select "Yes" when asked to modify the system console 
configuration. Under "Saver - Configure a screen saver", 
select "Fire - Flames effect screen saver"...or whatever 
screen saver you want. Then arrow up and select to "Exit - 
Exit this menu (returning to previous)" 
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Select "Yes" when asked "Would you like to set this 
machine's time zone now?" Then, select "No" when asked 
if your machine's CMOS clock is set to UTC. Then select the 
appropriate time zone - by region, country, and then the 
applicable time zone. 

Select "No" when asked if you'd like to install Linux Binary 
support. 

Select "No" when asked if you want to enable USB mouse 
support (unless, of course, you have one...) 

Make the following configuration changes for the mouse 
configuration, then enable it & test it, then select "Exit" to 
return to the previous menu. Note that I have a 2-button 
serial mouse - that's why I'm using C0M1 and 3-button 
emulation: 

Type: Auto 

Port: COM1 

Flags: -3 

When asked to browse the FreeBSD packages collection, 
select "Yes", then select the "4.0 SNAP Server" as the 
distribution site, elect to skip over a network 
reconfiguration (you've already done it correctly once...no 
need to do it again), and then install the following 
packages: 

WWW - lynx-2.8.3.1 

Editors - vim-lite-5.7.24 

FTP - ncftp3-3.0.2 

Mail - pine-4.33 


- mutt-1.2.5 

- elm+ME-2.4.88_1,1 

Net - cvsup-bin-16.1 

Shells - bash-2.0.4 

Then tab over and select "Install", select "OK" to confirm 
your choices 

(Packages are installed...takes about 60 seconds) 

Select "No" when asked if you want to add any additional 
user accounts. This is a firewall, not a common user 
machine, so we won't need any 

Set the 'root' password: ****** 

When asked if you'd like to visit the General Configuration 
menu to set any last options, select "Yes" and configure the 
following options: 

Networking: 

- Enable "ntpdate - Select a clock-synchronization 
server" 

- Enable "sshd - This machine wants to run the ssh 
daemon" 

Then select Exit and return to the previous menu, and 
then tab over and select "Exit Install" 

Select OK when asked if you're sure you want to exit the 
install & reboot the system. Remove your floppy disk 
(probably the mfsroot disk) and your system will reboot. 

(System reboots...) 
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You need a Software Configuration Management (SCM) tool you can rely 
on to doits job, so you can do yours. If it makes you wait or gets in your way, we 
know you won't use it That's why Perforce built an SCM tool that always 
moves as fast as you do. A careful database implementation and slight 
footprint ensures Perforce can turn around everyday operations in virtually 
zero time. Discover why over 40,000 developers rely on Perforce all day, every 
day. There's a free evaluation copy waiting for you. No questions. No forms. No 
salespeople. Simply download your copy at www.perforce.com. 

















Introduction 

XFree86 is a freely redistributable, open-source 
implementation of the X Window System that runs on a very 
wide variety of operating systems. Recent releases by the 
XFree86 Project, Inc. have included support for Darwin and 
Mac OS X. This article discusses the current status and usage 
instructions for XFree86 on Darwin and Mac OS X. 

There are two unique issues with XFree86 on Darwin and 
Mac OS X. Most obviously, Mac OS X already provides a full 
featured window server, Core Graphics Services, and a user 
friendly GUI, Aqua. It is still valuable to have an X window 
server to provide compatibility with the vast array of open- 
source Xll applications and to provide a convenient means 
of remote display. To be most useful, however, an X window 
server for Mac OS X needs to inter-operate with Aqua. 

Core Graphics and Aqua are not part of the open-source 
Darwin core of Mac OS X. Thus, it is also useful to have an 
X window server that relies only on the Darwin core to 
support Darwin as an independent open-source operating 
system. The second unique issue for XFree86 development is 
that Darwin uses a totally new means of interacting with 
hardware through the IOKit. 

XFree86 supports two display modes on Darwin and Mac 
OS X to address these issues. When run from the console in 
Darwin or Mac OS X, XFree86 uses IOKit mode. This is the 
default display mode for XFree86. On Mac OS X, Quartz mode 
is also available, named after the Quartz 2D compositing 
engine used by Aqua. In Quartz mode, the X server runs in 
parallel with Aqua on a separate "virtual screen". The user 
can easily switch back and forth between viewing the Aqua 
desktop and the Xll display. 

There are advantages and disadvantages to these 
approaches, particular with respect to support for third- 
party video cards. Because XFree86 on Darwin and Mac OS X 
relies on the IOKit, either directly or through Core Graphics, 
an IOKit driver is required for all video cards. The drivers 
provided by XFree86 for other platforms are not used, so the 
range of supported video cards is small at the current time. 
On the other hand, as vendors add support for Mac OS X, 
XFree86 will also be supported automatically. Another 


advantage is that the X server does not directly touch the 
hardware and thus does not need to be run as root. 

The first full release of XFree86 to support Darwin and Mac 
OS X was version 4.0.2. Version 4.0.3 was an incremental 
bug fix update. XFree86 4.1, due in late May, will be the 
first release to include support for Quartz mode. 


Installation 

Precompiled binaries of XFree86 for Darwin and Mac OS X 
are available from the XFree86 Project at 
http://XFree86.0rg/. The binaries are provided in gzipped 
tar format, affectionately known as "tarballs" and identified 
by a ".tgz" suffix to the file names. In addition, a custom 
version of the GNU tar utility named "extract" and a shell 
script named "Xinstall.sh" are provided. 

Download the Darwin binaries for the appropriate version 
of XFree86 from ftp://ftp.xfree86.org/pub/XFree86/. There 
are ten mandatory files for the Darwin distribution. 

1. Xinstall.sh The installer script 

2. extract The utility for extracting tarballs 

3. Xbin.tgz Xclients/utilities and run-time libraries 

4. Xlib.tgz Some data files required at run-time 

5. Xman.tgz Manual pages 

6. Xdoc.tgz XFree86 documentation 

7. Xfnts.tgz Base set of fonts 

8. Xfenc.tgz Base set of font encoding data 

9. Xetc.tgz Run-time configuration files 

10. Xxserv.tgz XDarwin IOKit-mode X server 


In addition to these files you may wish to download some 
or all of the other tarballs to add additional features. For 
XFree86 4.1, you will probably want to download 
xquartz. tgz which is the Quartz-mode X server for Mac OS 
X. 

If you are upgrading from an earlier version to XFree86 
4.1, it is strongly recommended that you move aside the 
/usr/xiiR6 and /etc/xii directories by using commands 
such as: 

sudo mv /usr/XllR6 /usr/XllR6_old 
sudo mv /etc/Xll /etc/Xll_old 
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Place all of the files you downloaded from the XFree86 
Project in a single directory, cd to that directory and run the 
Xinstall.sh script with the command "sudo sh 
xinstaii. sh". The installer may ask you a number of 
questions. Unless you have a nonstandard installation, the 
default answers should be okay. 

If you are familiar with using XFree86 on another 
platform, please note that there is no need to configure the 
X server on Darwin and Mac OS X. Configuration is not 
required or possible and the XF86Config file is not used. 
Some configuration that would have been done in 
XF86Config can be set using command line options. 

Using XFree86 

Once you are done with the installation, you need to add 
the directory /usr/xiiR6/bin, which contains the XFree86 
executables, to your path. You will also want to add the 
man pages from XFree86 in /usr/xiiR6/man to your 
manpath. The way to do this depends on the shell you are 
using. If you are using tcsh, which is the default shell on 
Darwin and Mac OS X, you should put the following lines in 

the file -/Library/init/tcsh/path: 

setenv PATH "${PATH}:/usr/XllR6/bin" 

setenv MANPATH "${MANPATH}:/usr/XllR6/man" 

You may need to create this directory tree and file. If you 
have already created a .cshrc or .tcshrc file, they will 
override the settings in -/Library/init/tcsh/path and 
you should put these lines in the .cshrc or .tcshrc file 
instead. On future logins these settings will take effect. 

To run XFree86 in IOKit mode you need to start it from the 
text console. If you are using Mac OS X, you need to 
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shutdown Core Graphics. To do this, logout and type 
">console" as the user name. Login to the text console and 
use the command "startx" to start XFree86. 

There are two ways to start XFree86 in Quartz mode on 
Mac OS X. From a terminal window you can use the 

command "startx-quartz". You can also launch the X 

server from the Finder by double-clicking XDarwin, which is 
installed in the /Applications folder. Either way of starting 
in Quartz mode executes the same X server, but starting 
with "startx" allows you to set some command line options 
that can not be specified through the "Preferences" menu of 
the XDarwin application. 

After you start the X server in Quartz mode, the screen will 
be taken over by Xll. You can switch back to the Aqua 
desktop by holding down the key combination "Command- 
Option-A". You can adjust this key combination in the 
XDarwin preferences. To switch back to Xll, click on the 
XDarwin icon in the dock. 

Future Plans 

XFree86 on Darwin and Mac OS X has a number of areas 
that need improvement to bring it on a par with XFree86 on 
other platforms. One very noticeable problem is that the X 
server does not use any acceleration and draws directly to 
the framebuffer in both IOKit and Quartz modes. In 
addition, many of the XFree86 extensions to Xll are not 
supported. Another obvious place to improve is integration 
with the Aqua environment. A rootless X server which could 
display X windows on the Aqua desktop is highly desirable. 
The XonX Team (http://www.sourceforge/projects/xonx) is 
working to address all of these issues in future versions of 
XFree86. 









printer, which also tended to dog the printing head when 
not used for a month and bought a fast, affordable, duplex 
laser printer. After configuring the print subsystem in a 
convenient way, I am able to really print things 

I wanted to control the printer easily: printing files in the 
printer's native HPLJ PCL language or in Ghostscript, 
simplex or duplex, printing on both sides of a page, with 
150, 300 or 600dpi, with Ghostscript output 
optimised for half-tone or line graphics 
images, and so on. 

Well, one problem is that the BSD print 
subsystem is rather ugly and 
underpowered. By comparison, the 
SVR4 print subsystem is not 
exciting either, but much less 
underpowered and more ugly. 

The problem is that control of 
the file format filters is very 
inflexible. 

There are only few predefined 
filter types. In SVR4, there can 
be any number of filters defined 
with any name. There is also no 
way to combine the filters in a 
pipeline controlled by Ipr's 
options, and no way to pass 
arguments from Ipr's command 
line. 

To work around these problems, people 
often turn to dirty tricks. I'm no exception. 

The first typical trick is to define multiple logical printers 
for a single physical one. I've defined the following: 

Ipt - no filters at all, just dump the file to the printer as 
it is. Useful for printing files already in the HPLJ PCL 
language. 

Ip (also known as the default printer) - printing of raw 
text files in the portrait orientation. 

Ipl - printing of raw text files in landscape orientation. 

Ip4 - printing of Postscript files filtered through 
Ghostscript, translating them to the LaserJet-4 (A.K.A. 
PCL5) format at 300dpi. 

Ip4150 - the same thing but at 150dpi. 

Ip4600 - the same thing but at 600dpi. 

Ip5g - printing of Postscript files filtered through 
Ghostscript, translating them to the LaserJet-5 (A.K.A. 
PCL6) format at 600dpi with the resolution enhancement 
technique (which is supposed to simulate the resolution of 
1200dpi) in gray-shade mode. 

Ip5m - the same thing but with resolution enhancement 
in monochrome mode. This printer also has aliases "Ipps" 
and "ps", to remember it easily as the default Postscript 
printer. 


Why so many variations ? 

First, in the plain text files LF 
has to be replaced by CR-LF and 
that needs a filter. 

If you don't know what that 
means; text files in Unix have lines 
terminated with a single character 
OxA, also known as Line Feed or LF 
- it's expected to move the cursor 
to the start of next line. But the 
LaserJet language has a different, 
pickier, understanding of this 
character: it moves the current position 
to the next line but leaves it in the current 
column instead of returing it to the start of the 

line. 

The character OxD also known as Carriage Return or CR is 
required to return the current position to the beginning of 
the line. So every LF in the text file has to be converted to 
a CR-LF pair before printing. 

Second, despite what the HP white papers say, PCL6 
documents are much larger than PCL5 ones. So transmitting 
them to the printer takes longer, and Ghostscript works 
slower as well. I like it when computers work fast, so in 
cases when the quality is not important I'd rather save time 
by using PCL5. For the same reason lower resolution may be 
a good thing too. 

All these printers share the same output file but still have 
to have different spooling directories, so their records in 
/etc/printcap would look like: 

lptI local line printer - transparent:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpt:\ 

:If=/var/log/lpd-errs: 

lpI local line printer:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpd:\ 

:If=/var/log/lpd-errs: 

lplI local line printer-landscape orientation:\ 

:lp=/dev/lpt0:sd=/var/spool/output/lpl:\ 

:If=/var/log/lpd-errs: 
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only for classic line printers. The printers which understand 
the advanced page description languages usually have 
problems when multiple print jobs are concatenated 
together. As a result, we will only consider the input filters 
further. 

The "catch all" input filter is specified as parameter "if". 
For my printer "Ip" this filter should convert all LFs to CR- 
LF pairs. There is also an issue of the Form Feed character 
at the end of file: this character is required by the PCL 
printers at the end of each page. If a file does not contain 
this character at the end its last page will not be printed. 
An obvious solution is to add this character in the filter, 
although if this character is present in the file and then 
added once more in the filter, an extra empty page will be 
printed at the end. So I wrote a small filter program that 
tries to solve this issue intelligently and add the final Form 
Feed only if it's missing. So the printer definition would 
look like: 

lp!local line printer:\ 

: sh: rax# 0 : \ 

: if=/usr/local /1 p /1 j : \ ~ ~ 

:lp~/dev/Ipt0:sd=/var/spool/output/ipd:\ 

:If=/var/log/ipd-errs: 




And the source code of /usr/iocal/ip/ij is: 


Simple filter for LaserJet printers, to•be 
used in :if=.'..: in /etc/printcap. If the 
parameter '-c'is passed (from lor -ijf then the 
data is passed through, else LP are changed to 
CR/LF. Does not make extra form feed 


#include <stdio,h> 

#include <s.tring.h> 


int 

rnain(ac, av) 
int ac ; 
char **av 


st rcmp {av E 13/ "~c") } 


if(crlf) | 


while(( c=getchar() )!e 
if {c~~ ’ \,n 1 ) 
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lp5m|lppsIps|Postscript - best mono:\ 


lp=/dev/lptO:sd=/var/spool/output/lp5m:\ 
If=/var/log/lpd-errs: 


For those who don't know about /etc/printcap, it is the 
file where all the printers are described as a set of 
configuration parameters also known as "capabilities", see 
the printcap man page for details). 

The print daemon, Ipd, provides interlocking between 
processes trying to open the same device, so this trick is 
safe and the printed files won't get intermixed with each 
other, even if spooled to different logical printers on the 
same physical printer at the same time. Instead one file will 
be printed first, followed by another, and so on. 

There are two more parameters which should normally be 
defined for all printers, so a complete definition would look 
like: 

lptI local line printer - transparent:! 

:sh:mx#0:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpt:\ 

:If=/var/log/lpd-errs: 


:sh: disables printing of banner pages which are an 
inheritance of old line printers. :mx#0: allows you to print 
files of unlimited size. If it is not set then the file size will 
be limited to 1000KB by default and this limit is far too low 
for typical print jobs with graphics. 

Now it's time to look at the filters. Lpd provides two kinds 


oi imerS, mpUi MiieiS dilG OUipUi iiiiefS, emu uie uXcill fuiub 


for their use are weird and strange. For each particular 
printer, you can define only one output filter but multiple 
input filters for different types of input files (one of these 
types is "catch all the rest"). For each file being printed no 
more than one filter is used, with a direct consequence that 
if a "catch all" input filter is specified, the output filter will 
never be used. If there are no suitable filters specified, lpd 
will just pass the file as it is and add the Form Feed 
character (with code OxC) at the end. 

An important difference is that a separate input filter is 
started for each print job but an output filter can be carried 
between multiple consecutive print jobs, which are 
concatenated together. This makes the output filters useful 
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putchar( '\r') ; 
putchar(c); 
last=c; 

} 

} else { 

vihile(( c=getchar() ) !=BOF) { 
putchar(c); 
last=c; 

} 

} 

/* if no form feed at the end then add it */ 
if(lastl='\f') 

putchar(' \f') ; 
return 0; 

} 

As you can see, the filter reads the data from its standard 
input, does some processing and prints it to the standard 
output. It also takes some arguments describing the print 
job. We will look closer at these arguments when discussing 
banners. This filter uses only one of the arguments, the 
option "-c". This option is passed to the "catch all" input 
filter when Ipr is called with the option "-1" meaning "pass 
the file transparently". So the result of commands 
Ipr -plpt sanefile and lpr -Pip -1 sanefile would be almost 
identical except that in the first case the Form Feed at the 
end of file would always be added while in the second case 
only if it's missing in the file. 

Other file types can be specified with other options of lpr: 
-c - cifplot 
-d - EWI (TeX) 

-g - plot 
-n - ditroff 

-f - source code in Fortran 
d: - tzoff 

-v - raster image 

For each of these types a separate input filter can be 
defined. The name of the filter configuration parameter 
corresponds to its option name, "cf" for "-c" and so on. 

These options were born when many different page 
description languages were widespread and thus different 
conversions had to be done for different printers. Nowadays 
PostScript is the common language and most programs can 
generate data directly in PostScript. The best approach 
therefore, is to make all printers understand PostScript, and 
to put these options to more interesting uses. As quite a 
few of these old file formats are now obsolete, reusing their 
options looks like a good idea. 

I reuse the option "-d" to enable duplex mode (printing 
on both sides of a page) and "-n" to disable it. If no option 
is specified, the printer's default setting will be used. The 
DVI format is not obsolete but dvi2ps can be used to print 
TeX files. Logically it would be a pipeline from two filters, 
like: 

-d: cat file I /usr/local/lp/lj \ 

I /usr/ local / lp/duplex on 
-n: cat file I /usr/local/lp/lj \ 

I /usr/local/lp/duplex off 

But the print subsystem calls only one filter and does not 


allow such pipelines. So we make a workaround: we call 
"duplex" with the name of the preceding filter as an 
argument like: 

-d: cat file I /usr/local/lp/djplex cn lj 
-n: cat file I /usr/local/lp/duplex off lj 

But that does not work because no arguments for the 
filters can be specified in /etc/printcap. The next step is a 
workaround of a workaround: encode the argument in the 
name of the filter, like: 

-d: cat file I /usr/local/lp/c^.cn. lj 
-n: cat file I /usr/local/lp/c^.off. lj 

And then create symbolic links with these encoded names 
to the actual duplex filter: 

In -s /usr/local/lp/duplex \ 

/usr/local/lp/dp. cn. 1 j 
In -s /usr/local/lp/dLplex \ 

/usr/local/lp/dp. of f. 1 j 

The source code of the duplex filter itself is: 

#!/bin/sh 

# 

# make a link with the name 

# dp.{on|off}.real_filter 

nm='basename "$0"' 

FLTDIR='echo "$0" | sed 's|/[ A /]*$l/l’' 

SWITCH='expr "x$nm" : 'x.*\.\(.*\)\..*’' 

FILTER='expr "x$nm" : 'x.*\..*\.\(.*\T 

case "$SWITCH" in 
on|0N) 

printf '\033%%-12345X@PJL SET DUPLEX=0N\n' 
printf ’@PJL SET BINDING=LONGEDGE\n' 
printf '\033E' 

off | OFF) 

printf '\033%%-12345X@PJL SET DUPLEX=0FF\n' 
printf '\033E' 

*) 

echo "duplex: unknown switch, must be on or off" 

>&2 

exit 1 

esac 

${FLTDIR}${FILTER} && printf '\033%%-12345X\033E' 

This script uses PJL, the HP Printer Job Language of the 
LaserJet5-compatible printers, to control the printer 
settings for a job. Actually, that trick with the Form Feed I 
did in the "lj" filter was not strictly necessary: I could have 
instead wrapped the job into a PJL wraparound with the 
same result except the potentially missing FormFeed at the 
end of the job may cause a little delay when printing. 
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The resulting printcap entry would be: 

Ip I local line printer: \ 

:sh:mx#0:\ 

: if=/usr/local/lp/l j: \ 

: df=/usr/local/lp/dp. cn. 1j:\ 

:nf=/usr/local/lp/dp.off. lj: \ 

: lp=/dev/lptO: sd=/var/spool/output/lpd: \ 

: lf=/var/log/lpd-errs: 

To define a logical printer with landscape orientation we 
use the same trick: 

lplllocal line printer - landscape orientation: \ 

:sh:mx#0: \ 

: if=/usr/local/lp/cfc)l. off. 1 j: \ 

: df=/usr/local/lp/dpl. cn. 1 j: \ 

:nf=/usr/local/lp/dpl .off. 1 j: \ 

: lp=/ dev/lptO: sd=/var/spool/output/lpl: \ 

: lf=/var/log/lpd-errs: 

Note that for this printer, if the duplex option is not 
specified, the duplex will be disabled by default, while for 
the printer "Ip" it was left to the printer's default. 

The scripts dpi.* are symbolic links to duplex-lsc: 

#!/bin/sh 

# 

# make a link with the name 

# dpl.{on|off}.real_filter 

nm='basename "$0"' 

FLTDIR='echo "$0" | sed 's|/[ A /]*$|/|'' 

SWITCH='expr "x$nm" : 'x.*\.\(.*\)\..*’' 

FILTER='expr "x$nm" : 

case "JSWITCH" in 
on|0N) 

printf '\033%%-12345X@PJL SET DUPLEX=ON\n' 
printf '@PJL SET BINDING=SHORTEDGE\n' 
printf '@PJL SET ORIENTATION=LANDSCAPE\n' 
printf '\033E' 

off | OFF) 

printf '\033%%-12345X@PJL SET DUPLEX=OFF\n' 
printf '@PJL SET ORIENTATION=LANDSCAPE\n' 
printf '\033E' 

*) 

echo "duplex-lsc: unknown switch, must be on or 

off" >&2 

exit 1 

f r 

esac 

${FLTDIR}${FILTER} && printf '\033%%-12345X\033E' 

This script is very like "duplex" except that it explicitly 
sets the page orientation and specifies a different binding 
direction for duplex. There could be a better way to specify 
a combination of job control settings as arguments for a 


single script but in this case creation of a separate script 
for landscape orientation was simpler. 

Finally we get to the PostScript support. Of course, one 
way to get it is to buy a built-in PostScript module for the 
printer. Another way is to use the Ghostscript converter. I 
consider using Ghostscript a far better solution. First, it's 
free compared to approximately $200 for a built-in module 
plus some money for extra printer memory to let this module 
run. Second, the CPUs in modern PCs are usually much 
faster than in the printers, and the rasterisation of 
PostScript page descriptions is quite CPU-intensive. Of 
course, consuming the CPU cycles on a server machine is 
not such a good idea but for a workstation this is fine. 
Third, Ghostscript contains fewer bugs and implements more 
advanced levels of the PostScript language than most of the 
PostScript modules for printers. Fourth, as new features are 
introduced into PostScript, Ghostscript can be easily 
upgraded while the built-in implementations are usually not 
upgradable; their only upgrade path is buying a new printer. 
Fifth, if a PostScript file is buggy it's much easier to get 
diagnostics from Ghostscript than from a printer. 

Since I defined multiple logical printers for various 
resolutions, I needed multiple Ghostscript filter scripts as 
well, defined in /etc/printcap as: 
lp4|local line printer: \ 

:sh:inx#0: \ 

: if=/usr/local/lp/gs4: \ 

: df=/usr/local/lp/c%). on. gs4: \ 

: nf=/usr/local/lp/c%3. of f. gs4: \ 

: lp=/dev/lptO: sd=/var/spool/output/lp4: \ 

: lf=/var/log/lpd-errs: 
lp41501 local line printer: \ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs4150:\ 

:df=/usr/local/lp/dp.on.gs4150: \ 

:nf=/usr/local/lp/dp.off.gs4150:\ 

:lp=/dev/lptO:sd=/var/spool/output/lp415 0:\ 

: lf=/var/log/lpd-errs: 
lp4600|local line printer :\ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs4600: \ 

:df=/usr/local/lp/dp.on.gs4600:\ 

: nf=/usr/ local / lp/c%>. of f. gs4600: \ 

:lp=/dev/lptO:sd=/var/spool/output/lp4 600:\ 

: If=/var/log/lpd-errs: 
lp5g | Poscscript - best gray:\ 

:sh:mx#0:\ 

: if=/usr/local/lp/gs5gray: \ 

: df=/usr/local/lp/dp. on. gs5gray: \ 

: nf=/usr/local/lp/c%). of f. gs5gray: \ 

: lp=/dev/lptO: sd= / var / spool /output / lp5g: \ 

: lf=/var/lcg/lpd-errs: 
lp5m | lpps | ps I Postscript - best rruno:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs5mono:\ 

: df=/usr / local / lp/dp. on. gs5mono: \ 

:nf=/usr/local/lp/dp. off. gs5mono: \ 

: lp=/dev/lptO: sd=/var/spool/output/lp5m: \ 

: If=/var/log/lpd-errs: 

Note that I reused the same duplex wrapper as for the 
simpler filters. Internally I made these Ghostscript filters 
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call a common script /usr/local/lp/gsfilter with 
varying options: 

gs4 : 

#!/bin/sh 

exec /usr/local/lp/gsfilter -sDEVICE=l jet4 -r300 

gs4150: 

#!/bin/sh 

exec /usr/local/lp/gsfilter -sDEVICE=ljet4 -rl50 

gs4600: 

#!/bin/sh 

exec /usr/local/lp/gsfilter -sDEVICE=ljet4 -r600 

gs5gray: 

#!/bin/sh 

exec /usr/local/lp/gsfilter -sDEVICE=ljSgray -r600 

gs5mono: 

#!/bin/sh 

exec /usr/local/lp/gsfilter -sDEVICE=lj5mono -r600 

The first version of gsfilter was simple: 

#!/bin/sh 

exec /usr/local/bin/gs -sOutputFile=- -dSAFER \ 
-dNOPAUSE -q 

Note the option -dSAFER: filters do not run with the 
privileges of the user who submitted the job but as pseudo¬ 
user "daemon" (the owner of many system processes). If 
this option is not specified, that would allow malicious 
users to overwrite many files on the system. Even with - 
dSAFER present there still is an issue left whereby any user 
may read some sensitive files. While this not such a big 
issue for my home machine, in a production environment 
you should run Ghostscript in a chroot-ed cage. 

Unforunately, when Ghostscript finds a bug in the fiLe 
being printed it outputs the error message to its standard 
out where it gets mixed in with the result of the 
conversion, usually causing the printer to waste a lot of 
paper printing gibberish. 

Since Ghostscript is unable to write its error messages to 
standard error, the only way to separate them from the 
normal output was to write the normal output somewhere 
else and do redirection: 

#!/bin/sh 

exec nice -1 /usr/local/bin/gs \ 
-sOutputFile=/dev/fd/3 -dSAFER \ 

-dNOPAUSE -q "$@" 3>&1 >&2 

Here /dev/fd/3 is a special system pseudo-device that is 
connected to the 3rd file descriptor of the process that 
opens it. I also added the "nice" command 
to reduce the priority of the filter compared with other 
processes. 

This version of the script is able to produce decent error 
messages which are as usually sent by e-mail to the owner 
of the job. 

For convenience I also added Ghostscript filters to the 
printers "Ip" and "Ipl" when they are requested with options 
"-v" and "-g". So the full resulting /etc/printcap is: 


# forced duplex goes as -d, simplex ("normal") 

# as -n -v for Ghostscript in mono images -g 

# for Ghostscript in gray-scale images to 

# Combine duplex and Ghostscript use other 

# printers 

lpI local line printer:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/lj:\ 
:df=/usr/local/lp/dp.on.lj:\ 

:nf=/usr/local/lp/dp.off.1j:\ 

:vf=/usr/local/lp/gs5mono:\ 

:gf=/usr/local/lp/gs5gray:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpd:\ 

:If=/var/log/lpd-errs: 

lplI local line printer-landscape orientation:\ 
:sh:mx#0:\ 

:if=/usr/local/lp/dpl.off.1j:\ 

:df=/usr/local/lp/dpl.on.1j:\ 

:nf=/usr/local/lp/dpl.off.1j:\ 

:vf=/usr/local/lp/dpi.on.gs5mono:\ 
:gf=/usr/local/lp/dpl.on.gs5gray:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpl:\ 

:If=/var/log/lpd-errs: 

# this one has no filters, just pass-through 
lptI local line printer - transparent:\ 

:sh:mx#0:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpt:\ 

:If=/var/log/lpd-errs: 

# all the variations as separate printers 

# forced duplex goes as -d, simplex ("normal") 

# as -n 

lp4|local line printer:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs4:\ 
:df=/usr/local/lp/dp.on.gs4:\ 

:nf=/usr/local/lp/dp.off.gs4:\ 

:lp=/dev/lptO:sd=/var/spool/output/lp4:\ 

:If=/var/log/lpd-errs: 
lp4150|local line printer:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs4150:\ 

:df=/usr/local/lp/dp.on.gs4150:\ 

:nf=/usr/local/lp/dp.off.gs4150:\ 

:lp=/dev/lptO:sd=/var/spool/output/lp4150:\ 

:If=/var/log/lpd-errs: 
lp4600|local line printer:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs4600:\ 
:df=/usr/local/lp/dp.on.gs4600:\ 

:nf=/usr/local/lp/dp.off.gs4600:\ 

:lp=/dev/lptO:sd=/var/spool/output/lp4600:\ 

:If=/var/log/lpd-errs: 
lp5gIPoscscript - best gray:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs5gray:\ 

:df=/usr/local/lp/dp.on.gs5gray:\ 

:nf=/usr/local/lp/dp.off.gs5gray:\ 

:lp=/dev/lpt0:sd=/var/spool/output/lp5g:\ 

:lf=/var/log/lpd-errs: 
lp5m | lppsIps|Postscript - best mono:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/gs5mono:\ 

:df=/usr/local/lp/dp.on.gs5mono:\ 

:nf=/usr/local/lp/dp.off.gs5mono:\ 

:lp=/dev/lpt0:sd=/var/spool/output/lp5m:\ 

:If=/var/log/lpd-errs: 
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Note that printing in Landscape orientation through the 
Ghostscript filter makes no sense as Ghostscript will 
override the page orientation. But setting the duplex 
binding direction to landscape mode still makes sense, so 
the Ghostscript filters are defined for the printer "Ipl" with 
duplex on. 

Banner Sheets 

For my home printer I don't need a banner sheet. 
Although at work, I use a network printer and I need the 
banner to distinguish my printer jobs from those of others. 
Lpd provides some rudimentary banners but they are in 
some ways inadequate as they are in plain text format 
which does confuse PostScript printers. This rudimentary 
banner could be wrapped into a PostScript page, although 
it is generated only when the output filter is used, which 
as we have seen, is somewhat unusable nowadays. 

However, input filters can be used in a slightly 
unorthodox way to generate banner sheets. When a filter 
runs it gets some arguments from lpd. These arguments are 
different for the filter "if" and all other filters: 

if_filter [-c] -wwidth -1 length -Undent -n 
login -h host acct-file 

other_filter -xwidth -ylength -n login -h host 
acct-file 

Login and host are what we need for banner generation 
and "acct-file" is the value of the "af" capability in 
/etc/printcap - used to pass some printer-specific 
information to the script. I use it to pass the printer name 
and then use this name to extract more information about 
the job, although of course this data can also be passed in 
the name of the filter as in the previous examples. If this 
value is the same for all the filters on a printer then placing 
it in "af" lets us avoid repeating it for each filter. 

The printer definition looks like: 
tpb346r|PostScript printer (transparent):\ 

:if=/usr/local/lp/filter/pstflt:\ 

:af=tpb346r:\ 


and the banner printing is done in the filter as follows: 
#!/bin/sh 

BASEDIR=/usr/local/lp/filter 

prtbanner() 

{ 

cat $BASEDIR/banner.ps 
echo "/smallbanner {" 
if [ -n "$LPRINTER" ] 
then 

{ 

echo "" 
echo "" 


echo "Host: $H0ST" 
echo "User: $USER" 
echo "Printer: $LPRINTER" 
echo "Job: " 
echo "" 

Ipq -P$LPRINTER -l | sed 'l,2d;/: 

lst/,$d' 

} | $BASEDIR/bnr2ps 
fi 

echo "} def" 

echo "('date '+%a %H:%M %h %d, %Y’')" 
echo "('hostname')" 
echo "banner" 

} 

args='getopt cw:l:i:n:h:x:y: $*' 

[ $? -eq 0 ] || exit 1 
set -- $args 

for i 
do 

case "$i" in 
-c) shift;; 

-w|-l|-i|-x|-y) shift; shift;; 

-n) USER="$2"; 

shift; shift;; 

-h) H0ST="$2"; 

shift; shift;; 

—) shift; break;; 
esac 

done 

LPRINTER=$1 

prtbanner 

/bin/cat 

Here banner.ps is a PostScript file with a prototype 
banner having the standard look defined by our IT 
department and bnr2ps is a small program converting the 
data into the arguments format expected by that PostScript 
file. 

Note how the "Ipq" command is used in an unusual way, 
to get the name of the current job by the printer name. This 
trick would not have been required if lpd would pass this 
information directly. 

Network printing 

The capabilities "rm" and "rp" in /etc/printcap are used 
to print to a remote printer, "rm" specifies the name of the 
print server host, 

"rp" is the printer name at that host. And of course the 
capability "Ip" is not needed for a remote printer. Only the 
"if" filters are used at both local host before sending the 
data and at remote host before printing it (or the "of" 
filters). 
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Using other filters is not permitted. The file 
/etc/hosts.Ipd is used on the server to control the access 
to the printers from remote hosts. 

The typical /etc/printcap entries would look like: 

On the server: 

lptI local line printer - transparent:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/cat:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpt:\ 

:If=/var/log/lpd-errs: 

With /usr/iocai/ip/cat containing: 

#!/bin/sh 
exec /bin/cat 

On the client: 

rpI remote printer:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/lj:\ 

:rm=remote.host.at.domain:rp=lpt:\ 

:sd=/var/spool/output/rp:If=/var/log/lpd- 

errs: 

Using "cat" as input filter on one side is required to avoid 
printing 

an extra empty page after the request because if no filter 
is specified, Ipd adds a Form Feed by itself, "/bin/cat" can 
not be specified as the parameter "if" because the input 
filters are called with arguments unexpected by 

"/bin/cat". 

Another, probably better, way for HP compatible printers 
is to use a PJL job control filter: 

lptI local line printer - transparent:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/job:\ 

:lp=/dev/lptO:sd=/var/spool/output/lpt:\ 

:If=/var/log/lpd-errs: 

With /usr/iocai/ip/job containing: 

#!/bin/sh 

printf '\033%%-12345X@PJL\n\033E' 

/bin/cat 

printf '\033%%-12345X\033E' 

Some hardware print servers use proprietary network 
protocols, with manufacturers usually providing the source 
code of their communication programs. To use these 
programs a local printer may be defined with a filter that 
will pass the data to this communication program instead 
of passing it through. The printer definition would look 
like: 

lpwI network printer - weird:\ 
sh:mx#0:\ 

if=/usr/local/lp/redirect:\ 
lp=/dev/null:sd=/var/spool/output/lpw:\ 

If=/var/log/lpd-errs: 


#!/bin/sh 

/usr/local/lp/proprietary_program \ 

server_name printer_port 

An interesting twist is to use another call to Ipr instead 
of a proprietary program, that would allow specifying 
various file types for an usual network printer. For example: 

rpf|network printer - with many filters:\ 

:sh:mx#0:\ 

:if=/usr/local/lp/dp.off.redirect:\ 
:df=/usr/local/lp/dp.on.redirect:\ 

:nf=/usr/local/lp/dp.off.redirect:\ 

:lp=/dev/null:sd=/var/spool/output/rpf:\ 

:If=/var/log/lpd-errs: 

With the script /usr/local/lp/redirect containing: 

#!/bin/sh 

Ipr -Prp 

LPRng 

A new version of the print spooling subsystem is available 
from Patrick Powell, the next generation is named LPRng. It 
seems like all the problems I described and more are solved 
successfully, although I have not looked closely at it. 
Please look at http://www.lprng.org/ for more information. 

See also 

Some information about PJL can be found by searching at 
the HP Web site. A slightly more detailed description of PJL 
is available in the book "Developer's Guide to HP Printers" 
by Norman E. Smith, ISBN 1-55622-603-9. Though 
generally this book is not quite useful and a better name 
for it would be "Guide to HP Printers for Complete Idiots". 
Another interesting thing is that different printers 
implement different subsets of PJL. Manual pages include 
lpr(l), printcap(5) and lpd(8). 

Printers 

Anticipating the question, what do I mean by a "fast, 
affordable, duplex printer", I use a NEC 1800. Initially I was 
looking for a cheap model but when I saw a duplex printer 
at a reasonable price I just could not pass it by. Compared 
to HP 2100, NEC 1800 has duplex mode and a real front 
panel, larger standard memory, not requiring me to buy 
more memory immediately together with the printer, higher 
speed, higher duty cycle, lower toner cost per page and 
lower price of the printer itself. And all these wonderful 
things for $700, including shipping, not including the sales 
tax. So I just felt tantalized. I bought it over a year ago and 
I'm still quite happy with it. 


Note that no data ever passes through the filter, so the 
output device is set to /dev/nuii. The script 
/usr/iocai/ip/redirect would look somewhat like: 
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Installing BIND8 From Ports 

Over the past two months, there have been two security 
issues regarding bind. If you didn't upgrade for the first 
notice, then the recent worm threat should have prompted 
you to get moving. Back in January, when the initial bind 
security notice was issued, some talk was made of how best 
to upgrade with minimal effect. Some preferred 
downloaded the source code and installing. I preferred the 
port. 

The main problem with the port was that it installed to a 
different location than bind which was included with the 
base system. This is a normal. And expected. However, 
there is an easy way around this using flags passed to make. 
The basis for this article is a message I posted to the 
FreeBSD Security mailing list back in January. 


if you already have it installed 

$ pkg_info I grep bind 

bind-8.2.3 The Berkeley Internet Name Daemon, an 

implementation of DNS 

If you don't have bind already installed via a package 
or port (i.e. the above grep showed nothing), you can omit 
this step. 

Now we delete that: 

# pkg_delete bind-8.2.3 

4. Install 

It is important to know that the options used for building 
must be the same options used for installing. If you do a 
make, then a make install, please ensure that you use the 
same options on both commands. For the install, I did this: 

cd /usr/ports/net/bind8 


The Install 

I think the best way to do this, if you are upgrading, is 
to perform the following steps: 

build 

kill 

remove 

install 


make PREFIX=/usr \ 
PIDDIR=/var/run \ 

DESTETC =/etc/namedb \ 

DESTEXEC=/usr/1ibexec \ 

DE STRUN =/var/run \ 
DESTSBIN=/usr/sbin \ 
DESTHELP=/usr/share/misc install 


check 
start. 
recheck 

It is important to know that the options used for building 
must be the same options used for installing. If you do a 
make, then a make install, please ensure that you use the 
same options on both commands. You will see this being 
done for the build and the install below. 


5. Check 

You should check that you have the correct version 
installed: 

$ /usr/sbin/named -v 

named 8.2.3-REL Mon Mar 12 22:43:17 NZDT 2001 
root@xeon.int.nz.freebsd.org:/usr/obj/usr/src/us 
r.sbin/named 


1. Build 

Since I have the entire ports tree installed, all I needed 
to do was: 

cd /usr/ports/net/bind8 
make PREFIX=/usr \ 

PIDDIR=/var/run \ 

DESTETC=/etc/namedb \ 

DESTEXEC=/usr/Iibexec \ 

DESTRUN=/var/run \ 

DESTSBIN=/usr/sbin \ 

DESTHELP=/usr/share/misc 

2. Kill 

First, I killed the existing named: 

killall -QUIT named 

3. Remove 

If you already have installed bind from ports, you will 
have to remove it before you install. Here's how to find out 


As at the time of writing, this was the latest and greatest 
version of bind8. You could install bind9, but for me, that's 
not an option right now. Perhaps one day... 

6. Start 

bind can be started automagically using configuration 
settings within /etc/rc.conf. You can view the default 
settings with the following command: 

$ grep named /etc/defaults/rc.conf 

Do not modify /etc/defauits/rc.conf . These are the 
default settings and used as examples for /etc/rc.conf. 
Make all your changes to /etc/rc.conf. 

Here are the settings I use in my /etc/rc.conf file: 

named_enable="YES" 

named_flags="-u bind -g bind" 

Here's how you can start bind using the above settings: 

/usr/sbin/named -u bind -g bind 
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/usr/sbin/named -u bind -g bind 

7. Recheck 

Checking the logs I found this: 

starting (/etc/namedb/named.conf). named 8.2.3- 
REL Mon Mar 12 22:43:17 NZDT 2001 
root@xeon.int.nz.freebsd.org:/usr/obj/usr/src/us 
r.sbin/named limit files set to fdlimit (1024) 
Ready to answer queries. 

That is the version of bind I was expecting. 

Repeat as necessary 

There's one great thing about a port. After it's installed, 
it looks just like a package. In fact there's no difference 
between an installed port and an installed packaged. 

So what? 

If you have ten DNS servers to update, you don't have to 
download the source to each box. You can make a package. 
And ftp that to each box and then install the package. For 
example, you could do this: 

cd /usr/ports/net/bind8 

make PREFIX=/usr PIDDIR=/var/run 

DESTETC=/etc/namedb 

DESTEXEC=/usr/libexec DESTRUN=/var/run 
DESTSBIN=/usr/sbin 
DESTHELP=/usr/share/misc package 

This should create bind-8.2.3.tgz. Copy that file to 
your other box[es] and do this (remember to kill and 
remove first!) to install: 

pkg_add bind-8.2.3.tgz 


A Final Note 

One vital aspect of security is paying attention. And 
acting when necessary. One thing you should pay attention 
to is security advisories. If you have not already done, I 
urge you to subscribe to the FreeBSD Security mailing list. 
All security notifications are sent to this list. 

When you get a notification, you should decide whether 
or not it applies to you. Not all notices will apply to 
everyone (perhaps you don't have that software installed; 
perhaps you have already upgraded and you already have 
the patches). It usually takes a half hour or so to patch a 
single box. Security notices are not issued lightly. They are 
real risks which need to be dealt with. Taking the time now 
to upgrade might save you hours later if someone does 
break into your system. 

It's not so much the damage that an intruder might do. 
That's usually pretty obvious. It's what you don't see that 
you should worry about. After any intrusion, you cannot 
trust the system. A back door may be present. Some 
people feel that the only real way to secure a box after an 
intrusion is to reinstall. It's easier to patch. Do it now. 


Dan Langille <dan@FreeBSDDiary.org> 


Then you'll have the same code as you have on the other 
box. After the install, remember to do your check, start, 
and recheck. 



FreeBSD — A complete all-in-one package 


The FreeBSD compilation includes: 

(•) Full source code for the entire operating system, with an 
integrated build environment including the kernel and all 
applications. 

The original, highly acclaimed, industrial-strength Berkeley 
TCP/IP network stack and services. 

(^) A rich range of additional networking software, such as PPP, 

PPPoE, Network Address Translation (NAT), firewall capabilities, 
multi-protocol routing, and thousands more. Plus a wide 
selection of web servers, browsers, and email software. 


If you want stable networking, a powerful 
development environment, and guaranteed 
rock-solid performance — 

FreeBSD is the operating system for you! 


Just ask Yahoo and Inktomi! 


Available at http://mall.daemonnews.org 
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Marty Schlacter <martinschlacter@satx.rr.com> 


After you have FreeBSD installed, using the article found 
earlier in this magazine, It will probably take about 2-3 
hours to add in IPFILTER support as well as to finish the rest 
of the configuration. Here's what we're going to do in this 
section (in no particular order): 

Compile IPFILTER into the kernel and configure IPFILTER, 
IPNAT, and IPMON 

Configure IPMON so that it logs to syslog, but modify 
syslog so that the firewall messages get their own file and 
then update newsyslog so that the firewall's logs get 
rotated 

Install and configure Tripwire 

Compile VESA support into the kernel and change our 
screen resolution to 132x43. 

Configure syslogd so that it won't accept connections 
from other machines (i.e. prevent it from being a 'listening' 
service) 

Add support for (and configure) a second Ethernet 
interface (if you have 2 ISA cards) 

Configure TCP-Wrappers so that access to SSH is locked 
down to your local network only 

Configure SSH so that it will only accept SSH sessions 
from IPv4 systems and rejects connections from users it 
doesn't have the RSA key for 

Disable unused services in inetd (just in case it 
accidentally gets turned on later) 

Add a warning banner 

Configure cvsup and update your ports collection 

Make BASH the default shell for 'root' & configure root's 
BASH environment 

Redirect root's email to your "normal" account so that it 
doesn't back up on the firewall. 

Add an entry for our host in its own /etc/hosts table. 

In order to save time. I'm going to do some steps in what 
will appear to be an "out of order" sequence. This is being 
done on purpose so that we will minimize the number of re¬ 
boots you'll have to do. In fact, the goal is to configure the 


system, then recompile the kernel, and when the system 
reboots, you're done. That's it. 

Bash Setup 

Make "bash" the default shell for 'root' and perform an 
initial set up of root's bash environment. 

Use FreeBSD's password file manipulation utility, vipw, to 
modify root's default shell. At a root prompt, type vipw. A 
copy of the /etc/passwd file will be displayed. Use 
standard vi editing commands to change root's default shell 
from /bin/csh (all of the way at the end of the first line) 
to /usr/iocal/bin/bash. While you're already editing the 
file, go ahead and change root's unofficial name 'Charlie &' 
to 'Super-User' or any other name that envisions Superman, 
etc. When you get mail from root (e.g. from the cron jobs 
that run every night), it'll now be maked as coming from 
'Super-User' and not 'Charlie &'...just a little bit nicer. Save 
and exit. 

Create a .bashrc file in root's home directory (/root) and 
enter the following items as a starting point. After the file 
has been created, chmod 600 on it so that it's only readable 
and writable by root. 

umask 077 

PS1="[\u@\h \W]\\$ ■ 

alias ls='ls -alFG' 

Create a .bash_profiie file in root's home directory and 
enter the following items as a starting point. After the file 
has been created, chmod 600 on it so that it's only readable 
and writable by root. 

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bi 
n:/usr/local/sbin:$HOME/bin; export PATH 

umask 077 

PS1="[\u@\h \W]\\$ - 

alias ls='ls -alFG' 

Test your settings by logging out and logging back in 
again. Verify that you're using the bash shell, your cursor 
line looks different (i.e. it has your userid & current working 
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after you configure cvsup and update your ports collection, 
you might want to re-run 'cvsup /etc/ports-supfile' 

every once in a while to ensure your ports collection is up- 
to-date in case you want to install any new software. 

# cp /usr/share/examples/cvsup/ports-supflie /etc 

# vi /etc/ports-supfile 


Inetd 

Modify / etc /itifetd. conf so that every line is commented 
out...just in case it gets accidentally turned on later. More 
specifically, the following 6 lines are enabled in a default 
install of inetd. Comment them out by placing a "#" at the 
beginning of each line. There's no need to kill and restart 
inetd after your done...because you're not running inetd. 
We're only doing this just in case it accidentally gets turned 
on later. 

ftp stream tcp nowait root /usr/1ibexec/ftpd 
ftpd -I 

teinefc gw'/ etream' ■ :t‘ep ■' ■ nowai t root 

/usi' | 1 iboxoc /1o 1 netd telnetd 
corns vat dgram udp wait tty: tty” 

/usr/1ibexec/cornsa t comsat 
ntalk dgram udp wait tty: tty 

/usr /l ibexec /n tailed ntaikd 
ftp stream ccpb nowait root /usr/1ibexec/ftpd 

ftpd -I 

telnet stream tcp 6 nowait root 

/usr/libexec/telnetd telneta 


SSH Daemon 

Modify the SSH daemon configuration file, 
/ e t c / s sh / s ’shd„c on fig, so that it reads as follows. The 
comments in the file explain what we’re locking down and 
why. 

# This is ssh server systemwide configuration 
ri file. Listen on port 22, the standard 


directory), and that you get colorized directory listings. 

E-mail Reconfigure 

Redirect root's email to your "normal" email account so 
that it doesn't get backed up the firewall 

Use vim to open the /etc/aliases file for editing. 

Modify line that says "# root: me@my.domain" by 
removing the "#" comment at the beginning of the line, and 
then modifying the "me@my.domain" email address so that 
it points to your "normal" email address instead. 

After saving and exiting, run the command "newaiiases" 
from the command prompt to update the email alias 
database. 

Add an entry for our host in its own hosts table, so you 
don't get those annoying sendmail error messages. 

Use vim to open the /etc/hosts file for editing. 

After line 11, the one with the entry for 127.0.0.1, add a 
new line similar to this one, except change the IP address 
and hostname to the "real" ones you're using: 

192.168.1.1 firewall firewall.yourdomain.net 

Save and exit. 

Warning Banner. 

Use vim to replace your /etc/motd file with the following 
text or some other equivalent legal disclaimer: 

******* WAF > NING ******** 

THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR 
AUTHORIZED USE ONLY. UNAUTHORIZED ACCESS IS 
STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER THE 
COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER 
APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS 
SYSTEM, DISCONNECT NOW. BY CONTINUING, YOU CONSENT 
TO YOUR KEYSTROKES AND DATA CONTENT BEING 
MONITORED. ALL PERSONS ARE HEREBY NOTIFIED THAT THE 
USE OF THIS SYSTEM CONSTITUTES CONSENT TO 
MONITORING AND AUDITING. 

******* WAF , NING ******** 

CVSUP 

Configure cvsup and update your ports collection. Note: 
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Install and configure Tripwire 

First, install gmake from the FreeBSD ports collection: 

# cd /usr/ports/devel/gmake 

# make && make install 

Download Tripwire-2.3.1-2 from sourceforge.net. If a new 
version exists, then use it instead. The configuration 
changes itemized, below, should remain consistent between 
versions of Tripwire. If not, please email me with suggested 
corrections. 

# cd /root 

# lynx http://download.sourceforge.net/tripwire 

- Use the down-arrow to move through the hyperlinks 
until the file, tripwire-2.3.i-2.tar.gz, is highlighted, 
then press [Enter] 

- When asked if you want to D)ownload the file, or 
C)ancel, hit'd' - ...file downloads... 

- After the file downloads, you'll be presented with lynx's 
Download Options screen. The 'Save to disk' hyperlink is 
automatically highlighted in red, so just hit [Enter]. 

- Either accept the original filename by pressing [Enter], 
or modify the filename then hit [Enter] to save it. 

- After the file is saved, press 'q' to quit lynx. 

# gunzip tripwire-2.3.1-2.tar.gz 

# tar xvf tripwire-2.3.1-2.tar 


Port 22 

# Support SSH Protocol 1 only (SSH l.X 

# baseline), which means RSA keys are used 

# Protocol 1 Listen on your internal network's 

# address only so that hackers from the 

# internet can't access the SSH daemon 

# on your box and try to log on. Note that 

# you'll have to change 192.168.1.1 to whatever 

# IP address your internal NIC has. 

ListenAddress 192.168.1.1 

# Standard settings for a bunch of 

# stuff...HostKey, ServerKeyBits, 

# LoginGraceTime, etc. 

HostKey /etc/ssh/ssh_host_key 
ServerKeyBits 768 
LoginGraceTime 120 
KeyRegenerationlnterval 3600 
StrictModes yes 

PrintMotd yes 
KeepAlive yes 
CheckMail no 

# Permit 'root' login... that's the only account 

# we have on this box anyway 
PermitRootLogin yes 

# After 10 unauthenticated connections, refuse 

# 30% of the new ones, and refuse any more 

# than 60 total. 

MaxStartups 10:30:60 

# Don't read -/.rhosts and -/.shosts files 
IgnoreRhosts yes 

# Don’t trust -/.ssh/known_hosts for 

# RhostsRSAAuthentication 
IgnoreUserKnownHosts yes 

# Disable Xll forwarding...we're not even 

# running X on our firewall 
XllForwarding no 

# Implement severe logging...potentially 

# invasive, but we're the only authorized 

# users & we do have a legal warning banner, so 

# everyone's been warned.... 

SyslogFacility AUTH 
LogLevel DEBUG 

# Set up SSHD so that you must have a RSA key 

# in root's authorized_keys file to 

# successfully log in. No Rhosts, no 

# PasswordAuthentication, etc. 
RhostsAuthentication no 
RhostsRSAAuthentication no 
RSAAuthentication yes 
PasswordAuthentication no 
PermitEmptyPasswords no 
UseLogin no 

Hosts. Allow 

Open up your /etc/hosts.allow file, delete all of the 
lines, and ensure that it reads as follows. Note that 
192.168.1.0 is the address space of your internal network 
in this example. If you're using a different internal address 
space (e.g. 10.10.10.0), then make the appropriate 
modifications. 

# hosts.allow access control file for "tcp 
wrapped" applications. 

ALL : localhost 127.0.0.1 : allow 
sshd : 192.168.1.0/255.255.255.0 : allow 
ALL : ALL : deny 


Modify the Makefile so that it will compile for FreeBSD 

# cd tripwire-2.3.1-2/src 

# vim Makefile 

- Add a comment at the beginning of line 82 (SYSPRE = 
i686-pc-linux) 

- Remove the '#' comment delimeter at the beginning of 
line 84 (SYSPRE = i386-unknown-freebsd) 

- Save and exit. 

Compile Tripwire. On a P-200MMX, this takes almost an 
hour. 

# gmake release 

Configure and install Tripwire 

Open Tripwire's installation configuration file using vim, 
and edit it as follows 

# cd ../install/ 

# vim install.cfg 

Change line 27 to 'TWBIN="/usr/local/sbin'" 

Change line 30 to 'TWPOLICY="/usr/local/etc/tripwire'" 
Change line 33 to 'TWMAN="/usr/share/man'" 

Change line 36 to 'TWDB="/usr/local/lib/tripwire'" 

Change line 39 to 'TWDOCS="/usr/share/doc/tripwire"' 
Change line 51 to , TWEDITOR="/usr/local/bin/vim'" 
Change line 88 to 'TWMAILPROGRAM="/usr/sbin/sendmail 
-oi -t'" 

Save and exit. 

Open Tripwire's installation script using vim, and edit it 
as follows 

# vim install.sh 
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- Change line 319 to , EULA_PATH="../$TWLICENSEFILE"' 

- Change line 491 to 'BIN_DIR="../bin/i386-unknown- 
freebsd_r"' 

- Change lines 621-638 as follows: 

fl=' ff=$README ; d="/.." ; dd=$TWDOCS ; rr=0444 ' 
f2=' ff=$REL_NOTES ; d="/.." ; dd=$TWD0CS ; rr=0444 1 
f3=' ff=$TWLICENSEFILE ; d="/.." ; dd=$TWD0CS ; 
rr=0444 1 

f4=' ff=tripwire ; d="/../bin/i386-unknown-freebsd_r" ; 
dd=$TWBIN ; rr=0550 ' 

f5=' ff=twadmin ; d="/../bin/i386-unknown-freebsd_r" ; 
dd=$TWBIN ; rr=0550 ' 

f6=' ff=twprint; d="/../bin/i386-unknown-freebsd_r" ; 
dd=$TWBIN ; rr=0550 ' 

f7=' ff=siggen ; d="/../bin/i386-unknown-freebsd_r" ; 
dd=$TWBIN ; rr=0550 ' 

f8=' ff=TRADEMARK ; d="/.." ; dd=$TWD0CS ; rr=0444 ' 
fg=' ff=policyguide.txt; d="/../policy" > dd=$TWD0CS ; 
rr=0444 ' 

f 10=' ff=twpol.txt; d="/../policy" ; dd=$TWPOLICY ; 
rr=0640 ' 

fll=' ff=twpolicy.4 ; d="/../man/man4" ; 

dd=$TWMAN/man4 ; rr=0444 ' 

fl2=' ff=twconfig.4 ; d="/../man/man4" ; 

dd=$TWMAN/man4 ; rr=0444 ' 

fl3=' ff=twfiles.5 ; d="/../man/man5" ; 

dd=$TWMAN/man5 ; rr=0444 ' 

fl4=' ff=siggen.8 ; d="/../man/man8" ; 

dd=$TWMAN/man8 ; rr=0444 ' 

fl5=' ff=tripwire.8 ; d="/../man/man8" ; 

dd=$TWMAN/man8 ; rr=0444 ' 

fl6=' ff=twadmin.8 ; d="/../man/man8" ; 

dd=$TWMAN/man8 ; rr=0444 ' 

fl7=' ff=twintro.8 ; d="/../man/man8" ; 

dd=$TWMAN/man8 ; rr=0444 ' 

fl8=' ff=twprint.8 ; d="/../man/man8" ; 

rr=0444 ' 


dd=$TWMAN/man8 

- Save and exit. 

Install Tripwire 

# ./install.sh 

- Answer 'y' to continue with the installation 

- Press [Enter] to view the license agreement...when 
complete, type ’accept’ and [Enter] 

- The install script will verify that sendmail and vim are 
installed, then verify that the tripwire binaries are 
available, and then echo back all of the configuration 
parameters for the installation script (e.g. TWBIN, TWMAN, 
etc.). If everything looks good, answer ’y’ to continue with 
the installation. 

- The install script copies all of the files, the asks you to 
enter a new site keyfile passphrase. Enter it, and then enter 
it again when asked to verify it. 

- The install script then asks you to enter a new local 
keyfile passphrase. Enter it, and then enter it again when 
asked to verify it. 


- The install script will then create a signed configuration 
file, but will need you to enter the site passphrase you just 
set, above. Enter it. 

- The install script will then create a signed policy file, 
but will need you to enter the site passphrase you just set, 
above. Enter it. 

- ...installation is complete. 

Install a new Tripwire text policy file. Replace the 
contents of the file /usr/local/etc/tripwire/twpol.txt with 
one suited for FreeBSD. A functional Tripwire policy 
configuration file for FreeBSD-4.2 is available at 
http://www.daemonnews.org/200105/twpol.txt, but feel 
free to edit it based upon your own special installation and 
configuration. 

Re-generate the Tripwire policy file and database - Now 
that you have a good Tripwire text policy file, we need to 
actually create the policy file from it and the Tripwire 
database itself. To do that, just type the following 
commands: 

# twadmin --create-polfile \ 

/usr/local/etc/tripwire/twpol.txt 

# tripwire --init 


Create a cron job to check the integrity of your system 
every day at 4AM: 

# cd /etc 

# vi crontab 


- Add the following line to the file: 

0 4 * * * root /usr/local/bin/tripwire --check 


In the future, when you want to interactively check your 
system for changes, and then incorporate those changes 
into the Tripwire database, run the following command. 
After you run it, you’ll be presented with a report of the 
policy violations. Edit it with vim, leaving an Y next to 
each policy violation that you want the database updated 
with. Then edit and save. 

# tripwire -check -interactive 


rc.conf 

Edit your /etc/rc.conf file and make the following 
changes. Miscellaneous cleanup. Towards the middle of the 
file, there’s a line that reads ’sshd_enable="NO"’, yet at the 
bottom of the file, there’s a line that reads 
’sshd_enable=”YES"’. Delete the first one (the one that 
says "NO") and keep the one that says "YES" 

Add the following lines at the bottom of the file to 
support 132x43 screen resolution, after we compile VESA 
support into the kernel, below. 

font8x8="/usr/share/syscons/fonts/iso02-8x8.fnt" 
allscreens_flags="132x43" 


Add the following line at the bottom of the file so that 
syslog won't log to remote machines, nor will it accept logs 
from remote machines. This still allows syslog to function. 
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but stops it from being a 'listening' service. 

syslogd_flags="-ss" 

Add the following line at the bottom of the file so that 
SSHD only listens for IPv4 addresses 

sshd_flags="-4" 

Add the following lines at the bottom of the file so that 
IPFILTER, IPNAT, and IPMON will work correctly after we 
compile support for it into the kernel and create the 
appropriate files, below. Note, the options for ipmon 
perform the following - D causes it to run as a daemon, s 
tells it to log to syslog rather than a file, v tells it to log 
the tcp window, ack and sequence fields, and n tells it to 
map the IP addresses and port numbers back to hostnames 
and service names. 

ip fi11 er_enable="YES" 
ipmon_enable="YES" 
ipmon_flags="-Dsvn" 
ipnat_enable="YES" 

Modify the following Line so that your 2nd ISA network 
card is a valid network interface. Note, we're adding "edl" 
to the 'network_interfaces' line that was already there. 
network_interfaces="edO edl loO" 

Add the following line so that your new 2nd ISA network 
card is configured correctly. Again, we're assuming that 
you're using 192.168.1.0 as the internal network: 
ifconfig_edl="inet 192.168.1.1 netmask 255.255.255.0" 
Set up a separate logfile so that our firewall logs are 
separated from the rest of the standard syslog events. 

Create a new file for the firewall logs with the following 
commands: 

# touch /var/log/firewall_logs 

# chmod 600 /var/log/firewall_logs 

Modify your syslog configuration file /etc/syslog.conf 


so that the IPFILTER logged events (logged with IPMON) are 
sent to your new separate firewall log file. Insert the 
following line at the top of the file: 

localO.* /var/log/firewall_logs 

Modify your newsyslog configuration file 
(/etc/newsyslog.conf) so that your new firewall log files 
get rotated just like the primary syslog file 
(/var/iog/messages). Add the following new line to the 
bottom of the file: 

/var/log/firewall_logs 600 5 100 * Z 

Create your IPFILTER and IPNAT rulesets 

Using vim, create a new IPFILTER firewall ruleset, 
/etc/ipf .rules, and add the following lines to it. Note: 
The assumption is that edO is the "outside" interface (i.e. 
connected to your ISP), and edl is the "inside" interface 
(i.e. connected to your internal network). Also note that 
we're not performing egress filtering here. We're blocking 
all inbound packets from the internet and allowing all 
internal network packets out (and keeping state on them so 
that they're allowed back in). After your box is configured 
to your liking, I heavily recommend implementing egress 
filtering. And as a final note, since we're using IPFILTER's 
stateful packet inspection abilities, we don't need to reject 
traffic spoofing non-routable or reserved addresses...they'll 
be blocked automatically since they don't match a 
corresponding packet in the state table. Use this IPFILTER 
ruleset as a starting point. After you have everything 
running, add in whatever you want (egress filtering, 
protection from non-routable addresses, IP spoofing 
protection, etc.) to complete the job. This is only a starting 
point. 


# Outside Interface — Allow out all TCP, UDP, and ICMP traffic & keep state on it so that it's allowed back in. 
pass out quick on edO proto tcp from any to any keep state 

pass out quick on edO proto udp from any to any keep state 
pass out quick on edO proto icmp from any to any keep state 
block out quick on edO all 

# Allow bootp traffic in from your ISP's DHCP server only. Replace X.X.X.X/32 with your ISP's DHCP server address, 
pass in quick on edO proto udp from X.X.X.X/32 to any port = 68 keep state 

# Block and log all remaining traffic coming into the firewall 

# - Block TCP with a RST (to make it appear as if the service isn't listening) 

# - Block UDP with an ICMP Port Unreachable (to make it appear as if the service isn't listening) 

# - Block all remaining traffic the good 'ol fashioned way 
block return-rst in log quick on edO proto tcp from any to any 

block return-icmp-as-dest(port-unr) in log quick on edO proto udp from any to any 
block in log quick on edO all 

# Inside Interface 

# Allow out all TCP, UDP, and ICMP traffic & keep state 
pass out quick on edl proto tcp from any to any keep state 
pass out quick on edl proto udp from any to any keep state 
pass out quick on edl proto icmp from any to any keep state 

# Allow in all TCP, UDP, and ICMP traffic & keep state 
pass in quick on edl proto tcp from any to any keep state 
pass in quick on edl proto udp from any to any keep state 
pass in quick on edl proto icmp from any to any keep state 
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Using vim, create a new IPNAT translation ruleset, 
/etc/ipnat.rules, & add the following lines to it. This single 
line will take all packets going out on your external NIC 
(edO) that have a source address coming from your internal 
network (192.168.1.0), and translates it to whatever IP 
address your external NIC happens to have at that time 
(translating it to "0/32" is the way IPNAT does it), 
map edO 192.168.1.0/24 -> 0/32 
Compile your kernel for IPFILTER support, VESA support, 
and your 2nd ISA Ethernet card 
Change directory into /usr/src/sys/i386/conf 
cd /usr/src/sys/i386/conf 

Copy the file GENERIC to a new file - typically named after 
your hostname (I'll assume that your hostname is 
"FIREWALL") 
cp GENERIC FIREWALL 

Using vim, edit your new file, FIREWALL, and make the 
following changes: 

In line 2 of the file (part of the main comment block) 
change the word, GENERIC, to your hostname, FIREWALL. 

On line 18 of the file (still part of the main comment 
block), change the word, GENERIC, to your hostname, 
FIREWALL 

On lines 21-24, comment out the "cpu" lines so that only 
the one for your specific chip is left. For a Pentium MMX, I 
commented out all of them except line 23 - cpu "I586_CPU" 
On line 25, change the value of the ident parameter so 
that it's your hostname, FIREWALL 
Starting at about line 32 (right after the line with 
"options INET"), add the following 3 new lines to add 
IPFILTER support into your firewall and have it 
automatically block all packets by default: 
options IPFILTER 
options IPFILTER_L0G 
options IPFILTER_DEFAULT_BLOCK 
At about line 130 (immediately following the line "device 
vgaO at isa?"), add the following line to add support for 
VESA video modes (for 132x43 resolution): 
options VESA 

At about line 194, (in the networking portion...right after 
the title "ISA Ethernet NICs" and after the line with "device 
edO at isa? port 0x280 irq 10 iomem 0xd8000"), add the 
following new line to add support for a 2nd generic 
NE2000-compatible ISA Ethernet card. Pre-configure the 
IRQ and port* to whatever your 2nd ISA Ethernet card is 
configured to (to save you a little time after you reboot): 
device edl at isa? port 0x280 irq 10 iomem 0xd8000 
After saving your kernel configuration file, FIREWALL, 
type the following commands in this order to compile your 
kernel (assuming the name is "FIREWALL"), install it, and 
then reboot your system. Note that you're starting this 
sequence while you're still in the /usr/src/sys/i386/conf 
directory. With my old 200MFIz Pentium MMX (overclocked 
to 225MHz) with 96MB or RAM, the "make depend" 
command took 5 minutes; the "make" command took 25 


minutes; and the "make install" command took less than a 
minute. 

[root@numa conf]# /usr/sbin/config -g FIREWALL 
[root@numa conf]# cd ../../compile/FIREWALL 
[root@numa FIREWALL]# make depend 
[root@numa FIREWALL]# make 
[root@numa FIREWALL]# make install 
[root@numa FIREWALL]# shutdown -r now 
As the system is rebooting, go through the kernel 
reconfiguration process if you need to configure your 2nd 
generic NE2000-compatible ISA Ethernet Card. 

To do this, interrupt the boot process by hitting the 
[space bar] when you see the following: 

Flit [Enter] to boot immediately, or any other key for 
command prompt. 

Booting [kernel] in 9 seconds... 

Then, at the '>' prompt, type 'boot -c' and hit [Enter]. 
This will boot into the Kernel Configuration Utility 
Then, at the next '>' prompt (usually '"config>") type 'v' 
and hit [Enter] to start the Kernel Configuration Utility in 
visual mode. This will drop you off at the step 6 of the first 
section of this document (Installing FreeBSD-STABLE). This 
time, you'll see support for your 2nd Ethernet card, edl. 
Configure the IRQ and Port, then save and continue booting 
After the system boots, you should have a completely 
working firewall. Make sure you add a copy of your public 
SSH key to the /root/.ssh/authorized_keys file so that you 
can SSH to your firewall to perform maintenance. And since 
you modified the authorized_keys file, you'll need to update 
your tripwire database, as well, so you don't get notified of 
policy violations. 

Of Course it Runs NetBSD 

http://www.netbsd.org 
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Introduction 

When I first got to Massachusetts in February, I was put 
into temporary housing which was provided to me by work. 
I was stuck using a dial-up account from home, which 
wasn't so bad — at least I had 'net access. However, since 
I was using Earthlink, and many mail servers block mail 
originating from them even if relayed through their mail 
servers (which I was doing), I wanted a way to use a 
machine at work as my relay instead. 

An easy way to do so would have been to allow relay for 
earthlink.net through the machine I was going to use as 
my relay. This would have been bad, and as a result was an 
unacceptable option. You'd have to be a serious 
cracksmoker to open up a machine to relay for Earthlink. 
Spammers would sniff it out fairly quickly, and proceed to 
hammer it. To get around this, I decided to set up an SSH 
tunnel from a port on my laptop to port 25 on the mail 
server. It was a fairly easy task, and well worth it in the 
long run. The remainder of this article will explain how I 
set things up. 

Set up the Tunnel 

The first thing I decided was to establish the tunnel as a 
non-root user. Since the tunnel was going to exist for 
solely mail relaying purposes, I created a relay user on 
both my laptop and the server in question. I also ran ssh- 
keygen(l) and gave the relay user an empty passphrase. If 
you're overly paranoid, you can use a passphrase and then 
use ssh-agent(l). The way I figure is if someone gets into 
my laptop, I have more things to worry about than them 
sending mail through my relay. 



now that we have the user created, 
Hj^r the next step is to actually make sure we 
can establish the tunnel. This is done by 
y doing the following: 

% su relay 
Password: 

% ssh -2 -N -f \ 

L 9595:mail.domain.com:25 mail.domain.com 


J Here's an explanation of the above: 

The % su relay part allows you to become the relay 
user. 

The ssh command is a little more in-depth. 

The -2 flag tells ssh that we should use SSH v2. We want 
to use v2 because the ssh process can be sent to the 
background without running a command using the -N flag. 

-n is only available in v2 and is very useful when you 
want to simply forward ports. 

The -f tells ssh to go into the background. 

-L tells ssh that the given port on the local side is 
supposed to be forwarded to the given port on the remote 
side. Therefore, -l 9595:maii.domain.com:25 forwards 
local port 9595 to remote port 25 on mail.domain.com. The 
mail.domain.com at the end is the hostname of the 
machine we're connecting to. 

After running the command above, you should be able to 
telnet to port 9595 on the local machine and see that it's 
really forwarded to port 25 on the remote machine: 

% telnet localhost 9595 

Trying 127.0.0.1... 

Connected to localhost. 

Escape character is ' A ] ' . 

220 mai1.domain.com ESMTP Sendmai1 

8.11.3/8.11.3; Wed, 4 Apr 2001 
09:00:10 -0400 (EOT) 


Now it's time to put this into a script that will run from 

/usr/local/etc/rcid at boot. 
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This is more elaborate than what's needed, however, I like 
the fact that changing part of the script can be done by 
changing the variables at the top. If you don't want to use 
the variables, you don't have to - you can just replace 
them with the commands in the script. 

Put the script in /usr/iocai/etc/rc.d (I've named it 
relay.sh, make it executable, and it will start your tunnel 
at boot. 


The Script 

In order to keep our script up to par with the other scripts 
put in /usr/local/etc/rc.d, and to keep shutdown from 
complaining that we're using an "old-style" script, we have 
to give it start and stop options. An easy way to do this is 
look look at other scripts in the directory (if there are any 
others there), oomysqi-ciient.sh and apache.sh are good 
examples if you have either of those installed. 

Here's what the script looks like: 

#i/bin/sh 


MTA Configuration 

The only thing left to do now is set up your MTA to use 
port 9595 on the local machine as your relay or "smart 
host". I'm currently using Postfix on my laptop. The 
relevant part of my /usr/local/etc/postfix/main.cf 
looks like this: 

relayhost = [localhost]:9595 


# define a few variables 

s1eep=/bin/sleep. 

su=/usr/bin/su 

ssh=/usr/bin/ssh 

sshflags=”-2 -N -f -L" 

host=mail.domain . com 

tunnel-9595:mail . domain.com:25 

killall-/usr/bin/killall 


Add the above line and then restart postfix. 

If you're using sendmaii, it's a little more involved than 
that. Here's what you'll need to add to the me file you use 
to generate your sendmaii. cf: 
define('RELAY_MAILER_ARGS' , 'TCP $h 9595')dnl 
define('SMART_HOST 1 , 'relay:localhost *)dnl 

MODIFY_MAILER_FLAGS('RELAY’, '-k ’ )dnl 


stop) 


Now regenerate your sendmaii.cf, restart sendmaii, and 
you're ready to use your SSH tunnel to send mail. 


•n * mail 


Jim Mock <jim@freebsdzine.org> 
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Wasabi Systems: 
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ranged from full-scale NetBSD customization for a new network 
infrastructure product, to dramatically improving NetBSD’s NFS 
performance. Whatever the task, we bring you both performance and peace 
of mind, no matter how complex your project’s needs — from mailservers 
to MIPS boxes, firewalls to food processors. 


To learn more about what Wasabi can do for you, 
or to purchase Wasabi NetBSD on CD-ROM, visit our website, 
www.wasabisystems.com, or email us at info@wasabisystems.com. 




